Hi,

The ROA specification (RFC 6482 § 4) is a bit underspecified, but in the
wild the RFC 3779 AS Resources extension never ever appears on ROA EE
certificates, as it serves no purpose in the validation process. I've
seen it happen once, in the past, which was a CA mistake.

Related reading material in the 3779 space:

The BGPSec profile (RFC 8209 § 3.1.3.4) is better in this regard: it
explicitly forbids NID_sbgp_ipAddrBlock from being present (rpki-client
checks this), and the upcoming ASPA RFC will also be less ambiguous,
ASPA forbids NID_sbgp_ipAddrBlock too (my WIP ASPA code checks this).

OK?

Kind regards,

Job

Index: roa.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/roa.c,v
retrieving revision 1.47
diff -u -p -r1.47 roa.c
--- roa.c       10 Jun 2022 10:36:43 -0000      1.47
+++ roa.c       10 Aug 2022 13:49:58 -0000
@@ -229,6 +229,12 @@ roa_parse(X509 **x509, const char *fn, c
                goto out;
        }
 
+       if (X509_get_ext_d2i(*x509, NID_sbgp_autonomousSysNum, NULL, NULL)
+           != NULL) {
+               warnx("%s: superfluous AS Resources extension present", fn);
+               goto out;
+       }
+
        at = X509_get0_notAfter(*x509);
        if (at == NULL) {
                warnx("%s: X509_get0_notAfter failed", fn);
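Review bot: the new check in roa_parse() cannot tell "absent" from "present but undecodable": X509_get_ext_d2i() returns NULL both when the extension is not in the certificate and when it is there but fails to decode (or, with idx NULL, when it occurs more than once), so a ROA EE certificate carrying a malformed or duplicated AS Resources extension still passes this test. Since the intent is to reject any occurrence, either pass an int crit and treat `crit != -1` as present, or use `X509_get_ext_by_NID(*x509, NID_sbgp_autonomousSysNum, -1) >= 0`, which tests presence without decoding. The latter also avoids the minor leak in the current hunk: the non-NULL return of X509_get_ext_d2i() is an allocated ASIdentifiers that is never freed before `goto out`.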
